[imports]: Respect the crossOrigin attribute (bugzilla: 25568) #216
Labels
Comments
|
Any more thoughts on this issue? Being able to respect crossOrigin or have credentials="include|omit|same-origin" would be very helpful in the case of requesting an html import with credentials from a sandbox iframe which has an origin of null and cannot request a protected resource. |
|
I'm running into the same issue as @doug. Any updates? |
|
HTML Imports spec will be deprecated and |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Title: [imports]: Respect the crossOrigin attribute (bugzilla: 25568)
Migrated from: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25568
comment: 0
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25568#c0
Philip Rogers wrote on 2014-05-06 03:42:06 +0000.
The 7.4 Fetching Import section states "All imports ... must be loaded using the fetching algorithm with request's origin set to the origin of the master docment [SIC], the mode to CORS and the omit credentials mode to CORS."
Why is the crossOrigin attribute[1] not respected here? This would allow non-anonymous imports, for example.
[1] http://www.w3.org/html/wg/drafts/html/master/single-page.html#attr-link-media
comment: 1
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25568#c1
Morrita Hajime wrote on 2014-05-07 00:59:02 +0000.
This seems a reasonable addition.
comment: 2
comment_url: https://www.w3.org/Bugs/Public/show_bug.cgi?id=25568#c2
Morrita Hajime wrote on 2014-05-08 23:22:05 +0000.
...but turns out this is a bit tricky.
That's because cross-origin handling for imports is different from other resources.
We have to touch the definition of CORS setting attribute [1] so that referring
side can override the value of omitted case.
[1] http://www.whatwg.org/specs/web-apps/current-work/multipage/fetching-resources.html#cors-settings-attribute
The text was updated successfully, but these errors were encountered: